If you read the text of the GDPR, you will find that it’s broken up into Articles and Recitals. The Articles state the law and the Recitals convey its intent and provide guidance on the lawmakers’ reasoning behind each article. Below, we will answer “what are the 7 principles of the GDPR.” These 7 principles are the goals or intent of the GDPR.
1. Lawfulness, Fairness And Transparency
What does it mean to process data in a manner that is lawful, fair and transparent? There are a few boxes you need to check, here.
Lawfulness
In order for processing (or using someone’s data) to be lawful, one of these conditions must be met.
- Consent was given (defined as: clear, informed, unambiguous and freely given). This is usually considered to be the reason of last resort. Because of the very high bar that must be cleared for consent to be valid, in many cases it is safer to rely upon other criteria for processing.
- Contractual necessity in order to meet the obligation of a contract which the data subject is party to
- Legal necessity (e.g. accounting/taxation, answering a legal and lawful inquiry from authorities)
- Protect the vital interests of the data subject or another (e.g. accessing health records in an emergency)
- Public interest. If you have responsibility and authority involving the wellbeing of the public, public interest can be a lawful reason to process data
- Legitimate interest. In the case where you can demonstrate you have a right to use this data and the rights of the data subject do not supersede yours
Fairness
Fairness is very much like lawfulness but not as clearly defined. In order for processing to be fair, you have to meet the requirement for lawful processing first and then use the data in a manner that the data subject would reasonably expect. If you are given the data to provide goods or services and then you sell it or share it for an unrelated purpose, that could be considered unfair.
Additionally, you must request only the data needed to provide those goods or services. It is not fair to require someone to provide personal information if it is not relevant to the business at hand.
Transparency
Part of fairness is transparency. To be transparent, you have to use data for the reasons that you request it and only request what is needed for that reason. A big part of this is in your privacy notice. Be clear, easily understood and upfront about what you’re doing.
Pro-Tip: One of the fastest ways to find your way onto a regulator’s radar other than outright lying is asking for data that is not needed and making it a condition of goods or services. It makes people mad and mad people tend to complain.
2. Purpose Limitation
Article 5(1)(b) says that personal data shall be collected for specified, explicit and legitimate purposes and no other use of the data is permitted that is not compatible with those purposes. What does this mean? In essence, it means that you can use data that you collect from someone for providing them the service or goods and the things that would be reasonably expected to run your business (like internal reporting or accounting).
What you can’t do is ask for more data than is reasonable – especially as a condition of service – and then use it for purposes not compatible with the reason it was given to you. Keeping track of this is very difficult. One of the cornerstones of a well designed privacy program is tracking and putting controls in place to observe the purpose limitation.
3. Data Minimization
The GDPR (Article 5(1)(c)) says about data minimization that personal data processing should be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.” This means you should use only the data you need to achieve your purpose (assuming lawful and fair) and no more.
This runs contrary to deeply held views in the IT world (I am an application dev of 20 years). We like to innovate, and in this context that means the more data and history the better. We also like to “build once” so we tend to grab more than what we need in an effort to anticipate our users’ future requests. So you can clearly see how data minimization and engineering practices can be at odds.
Because of these IT practices and the massive amount of data that is now collected, many companies are finding themselves in a data graveyard. This is a situation where they have so much data that they can’t tell useful from useless, and they struggle not only to gain the insights they need to run their business but also face the threat of non-compliance. Both are obviously serious. For both of these reasons, data acquisition and retention practices are vital to a company’s strategy for business intelligence and compliance.
4. Accuracy
This one is often overlooked as most of us look at data inaccuracy as something which hurts our companies. The GDPR looks at it differently. It views it more as a disservice to the individual that the data is about. The high points of what is required here are:
- Accurate
- Up to date
- Complete
If these criteria are not met, a decision needs to be made about rectification or deletion.
Pro-Tip: Do you have a running record of individuals who have asked to have their data rectified or deleted? If so, is it programmatically referenced from every data channel into your company preventing reacquisition of incorrect data or data you’ve been asked to delete?
5. Storage Limitation
The GDPR requires a retention limit or policy for how long you will hold onto data about individuals. A policy like this requires a lot of thought as there are many considerations. Typically, this process involves categories of data and a retention period for each category.
As example, some data may be held for 7 years for tax purposes while other data may only be for 3 years due to statutory limits on the product or service. Once that period has expired, some minimization technique such as anonymization or pseudonymization is employed to remove the ability to identify an individual.
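As an added illustration (example code, not part of the original article) of two controls described above: the running record of erasure/rectification requests from the Accuracy Pro-Tip, checked on every ingest so erased data is not reacquired, and a per-category retention schedule that pseudonymizes a record once its period expires. The category names, sample records and key value are constructed assumptions; the 7-year and 3-year periods are the article’s own examples.

```python
import hashlib
import hmac
from datetime import date, timedelta

# Assumed retention schedule (category -> years): the article's 7-year tax
# and 3-year statutory examples; the category names are constructed.
RETENTION_YEARS = {"tax": 7, "warranty": 3}
# Key for the pseudonym token; a real deployment keeps this in a key store.
PSEUDONYM_KEY = b"constructed-example-key"
# Constructed sample records arriving from two data channels.
SAMPLE_RECORDS = [
    {"email": "ann@example.com", "name": "Ann", "category": "tax", "collected": date(2015, 3, 1)},
    {"email": "bob@example.com", "name": "Bob", "category": "warranty", "collected": date(2019, 6, 1)},
    {"email": "Ann@Example.com", "name": "Ann", "category": "warranty", "collected": date(2023, 1, 1)},
]

def subject_key(email: str) -> str:
    """Keyed, normalized token so the register never stores the clear identifier."""
    norm = email.strip().lower().encode()
    return hmac.new(PSEUDONYM_KEY, norm, hashlib.sha256).hexdigest()

def record_erasure_request(register: set, email: str) -> None:
    """Add a subject to the running record of deletion/rectification requests."""
    register.add(subject_key(email))

def ingest(record: dict, register: set, store: list) -> bool:
    """Admit a record from any channel only if its subject is not suppressed."""
    if subject_key(record["email"]) in register:
        return False  # re-acquisition of erased data is blocked
    store.append(dict(record))
    return True

def apply_retention(store: list, today: date) -> list:
    """Pseudonymize records whose category retention period has expired."""
    for rec in store:
        limit = rec["collected"] + timedelta(days=365 * RETENTION_YEARS[rec["category"]])
        if today > limit and "email" in rec:
            rec["subject"] = subject_key(rec.pop("email"))  # identity replaced by token
            rec.pop("name", None)
    return store

def run_example(today: date = date(2024, 1, 1)) -> tuple:
    """Bob has asked for erasure, so his record is rejected; Ann's 2015 tax
    record is past 7 years and gets pseudonymized. Returns (kept, rejected)."""
    register, store, rejected = set(), [], []
    record_erasure_request(register, "bob@example.com")
    for rec in SAMPLE_RECORDS:
        if not ingest(rec, register, store):
            rejected.append(rec["email"])
    return apply_retention(store, today), rejected
```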
6. Confidentiality And Integrity
What does this look like, exactly? Start with security. What is appropriate for your company? Using both technical and organizational measures (TOMs), ensure the following:
- Appropriate security (with risk to the data subject in mind)
Rather than going back to the law, we will just say that if you are talking about special category data or data that could cause harm to individuals’ privacy, appropriate security means a greater level of diligence than if the data you’re processing isn’t as sensitive.
- Prevention of unauthorized or unlawful use of data
Unauthorized or unlawful use of data can be internal or external. It is your responsibility to make sure that no one uses your data for any reason for which it is not intended and that no one has access to it who does not need it. See Zero Trust.
- Protection against accidental loss, destruction or damage of data
There is a difference between deleting data because it has expired under your retention policy or you can’t reconcile it with data you know to be accurate vs. being hacked and losing/corrupting data that you are responsible for. If, say, a credit bureau were to lose data about a person and that person then couldn’t get a loan or suffered some other negative consequence, that would be a violation just as misusing data would be.
7. Accountability
Compliance with the GDPR requires more than not doing anything wrong or the absence of a complaint. The GDPR requires you to be able to demonstrate that your company is compliant and supervisory authorities (from GDPR protected countries) can ask for evidence of a functioning privacy program even if there is no allegation you’ve done something wrong. You want to be able to demonstrate what you’re doing, why you’re doing it and that it is not just a project that is complete. They want to see that the first 6 principles are part of how you do business (privacy by design, privacy by default) and your technical and organizational measures (TOMs) will have privacy considered in the future.
Conclusion:
The 7 principles of the GDPR embody the intent of the law. They represent broad categories of what should govern companies’ decisions and plans with regards to data about individuals. Achieving the 7th principle of Accountability is being able to demonstrate compliance with the first 6… which is the essence of privacy by design. Privacy by design really is the goal of the regulation.